Company sued over poor cyber security
By Casey Tonkin
The Australian Securities and Investments Commission (ASIC) is taking financial advice company RI Group to the Federal Court for failing to maintain a “reasonable standard” of cyber security. In its court filings, ASIC alleges that RI Group didn’t do enough to ensure its representatives secured the sensitive personal and financial information of their clients,
citing multiple incidents in which poor cyber risk management resulted in data breaches and fraud attempts. Between December 2016 and May 2018 – while RI Group was still owned by ANZ bank – one of the group’s financial advisors was hit by ransomware and two were hacked through remote access ports. In one instance, a malicious actor logged 155 hours of activity on the server of an RI Group trustee, the Frontier Trust, accessing personal data and identification documents.
It took three months before anybody noticed.
Then three of the Frontier Trust’s clients reported attempted identity theft including “a mail redirection application being lodged with Australia Post and multiple bank accounts being opened without their consent”. Another three months later and 27 of the Frontier Trust’s came forward to say they had experienced unauthorised use of personal information likely stemming from the breach.
A report of the incident found major deficiencies in Frontier Trust’s cyber security including that 90 per cent of desktops operated without up-to-date antivirus software, its mail server had a total lack of filtering, no one was making offsite backups, and – astonishingly – “passwords and other security details [were] found in text files on the server desktop”. In September of 2018, RI brought in a cyber consultant to review the security posture of its other affected representatives – three of them were given a ‘poor’ rating.
According to ASIC’s court filings, the reports found the representatives “had no discernible cybe rsecurity policies, processes and procedures in writing, and no structured security governance program driven from the executive down”. The cyber firm recommended RI conduct reviews of all its representative organisations’ cyber security positions; RI did not do this.
In August 2019, another RI representative’s email was hacked.
Again, ASIC alleges, RI failed to mitigate future risk for this representative and its clients following the breach. RI apparently didn’t even offercyber awareness training or multi-factor authentication. The series of unfortunate cyber events came full circle in April this year when an RI financial advisor who had been hacked two years earlier was breached again – this time due to a “suspected phishing attack”. “[An] unknown party had monitored the [representative’s] email account for a period of time and had access to thousands of email addresses and contact details, as well as over ten thousand emails,” ASIC said.
ASIC is seeking penalties of $11 million or 10 per cent of RI’s parent company, IOOF Group’s, annual turnover (whichever is larger) for the utter failure to properly manage its cyber risk. The regulator also wants to force RI Group to implement “policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls which are reasonably appropriate to adequately manage risk in respect of cyber security and cyber resilience” within three months of the ruling.
It wants to see a written report demonstrating RI’s compliance, too